1. Field of the Invention
This invention pertains in general to computer security and in particular to detecting malware and/or other types of malicious software.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer.
One approach used by security software to detect conventional malware is behavior monitoring. In this approach, the security software monitors the behavior of each individual file on a computer system, and if a file performs a malicious behavior, the file is convicted as malware. To evade such security software, attackers have developed malware that is composed of multiple files, for example, several executable files, dynamic link library files, and data files. Each file of the malware performs one part of the attack on the computer system, but the behavior exhibited by any single file, considered in isolation, is not malicious enough for that file to be convicted. Because the security software evaluates each file separately, it is not able to detect and stop the attack.
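The following is an added illustration of the limitation described above; it is not code from the patent. It scores a constructed event log with a per-file behavior monitor: the single-file stealer crosses the conviction threshold, while the same behaviors spread across a loader and several library files leave every file below it. The behavior names, weights, file names and threshold are all assumptions made for the example, and the final grouping of behaviors by the parent process that loaded each file is shown only as one illustrative way to see the combined activity, not as the method of the invention.

```python
"""Show why per-file behavior monitoring misses multi-file malware (added example)."""
from collections import defaultdict

# Assumed weights for observed behaviors (illustrative values, not from the patent).
BEHAVIOR_WEIGHTS = {
    "read_browser_credentials": 40,
    "keystroke_hook": 40,
    "outbound_connection_unknown_host": 30,
    "write_autorun_key": 30,
}
CONVICTION_THRESHOLD = 100  # assumed: a file is convicted at or above this score

# Constructed event records: (acting file, parent process that loaded it, behavior).
SINGLE_FILE_EVENTS = [
    ("stealer.exe", "stealer.exe", "read_browser_credentials"),
    ("stealer.exe", "stealer.exe", "keystroke_hook"),
    ("stealer.exe", "stealer.exe", "outbound_connection_unknown_host"),
    ("stealer.exe", "stealer.exe", "write_autorun_key"),
]

# The same attack split across an executable and three library files loaded by it.
MULTI_FILE_EVENTS = [
    ("loader.exe", "loader.exe", "write_autorun_key"),
    ("hook.dll", "loader.exe", "keystroke_hook"),
    ("grab.dll", "loader.exe", "read_browser_credentials"),
    ("net.dll", "loader.exe", "outbound_connection_unknown_host"),
]


def per_file_scores(events):
    """Behavior monitoring as described: one score per file, no correlation between files."""
    scores = defaultdict(int)
    for actor, _parent, behavior in events:
        scores[actor] += BEHAVIOR_WEIGHTS.get(behavior, 0)
    return dict(scores)


def convict_per_file(events, threshold=CONVICTION_THRESHOLD):
    """Return the set of files whose own behavior score reaches the threshold."""
    return {name for name, score in per_file_scores(events).items() if score >= threshold}


def scores_by_parent(events):
    """Illustrative grouping only: sum behaviors of all files loaded by the same parent."""
    scores = defaultdict(int)
    for _actor, parent, behavior in events:
        scores[parent] += BEHAVIOR_WEIGHTS.get(behavior, 0)
    return dict(scores)


def convict_by_parent(events, threshold=CONVICTION_THRESHOLD):
    """Return parents whose combined loaded-file behavior reaches the threshold."""
    return {name for name, score in scores_by_parent(events).items() if score >= threshold}


if __name__ == "__main__":
    print("single-file malware, per-file monitoring:", convict_per_file(SINGLE_FILE_EVENTS))
    print("multi-file malware, per-file monitoring: ", convict_per_file(MULTI_FILE_EVENTS))
    print("multi-file malware, grouped by parent:   ", convict_by_parent(MULTI_FILE_EVENTS))
```

Run as a script to see that the per-file monitor convicts `stealer.exe` but convicts nothing in the multi-file case, where each file's score stays below the threshold; only when the behaviors of the files loaded by `loader.exe` are considered together does the combined score reach the same level as the single-file variant.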
Accordingly, there is a need in the art for ways to detect malware that is composed of multiple files.